The Basics of the California Consumer Privacy Act (CCPA) That Everybody Needs To Know
In less than two months, the California Consumer Privacy Act (CCPA) will come into force.
Despite its young age, however, like the GDPR, the CCPA has already made quite the impact.
Not only did the CCPA face strong opposition from a number of (primarily tech) companies, it has also helped the USA finally make the pivot towards privacy. In fact, following the passing of the Act, a number of other states have passed or proposed similar legislation.
Yet, like any piece of legislation, the Act can be difficult to understand. And it certainly does not help that it has undergone over 15 different proposed amendments.
So, to help clear up any confusion you may have, we have put together this short guide to the CCPA. Read on to learn about how the Act may affect you, what rights it grants, and how it is different from the GDPR.
Who is protected by the Act?
Officially, the Act grants rights to all natural persons who are California residents. Residents are defined as those who are in the state other than for “temporary or transitory purposes” and any individuals whose permanent home is in California but who are temporarily outside the state.
But the CCPA may eventually incentivize companies to extend the same rights to those outside of California, as doing so may not only help them save money, but also solidify their brand as privacy friendly. Microsoft has already promised to do so.
What types of organizations does it apply to?
Unlike the GDPR, the CCPA only applies to for-profit organizations. Not just any business, however. It only applies to companies that do business in California, collect the personal information of individuals (or on whose behalf that data is collected), and meet one of the following criteria:
- have annual gross revenues of more than 25 million USD
- receive or disclose the personal information of 100,000+ California residents or households annually
- derive 50%+ of their annual revenues from selling California residents’ personal information
The Act does not affect non-profits or charities. It also does not affect smaller businesses that process very little data about California residents.
It is also important to note that the Act only applies to organizations that determine the purposes and means of the processing of the personal information. Service providers, for-profit entities that process the data on behalf of organizations that fall under the CCPA, are not directly obligated to do anything other than follow the directions of the businesses they work for.
In other words, the CCPA only directly affects organizations that meet the aforementioned criteria AND make decisions about the personal information they collect.
What counts as personal information?
Personal information is similar to the concept of personal data under the GDPR.
More specifically, the CCPA defines the term as information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This includes the following types of data:
- Biometric data
- Household purchase data
- Family information (e.g. how many children)
- Financial information
- Sleep habits
What rights does the CCPA give to consumers?
The CCPA grants Californians the following rights that can be exercised for free:
- Right to delete personal information that a business holds about them (as well as any of the service providers or third parties that the business has shared that information with).
- Right to know the categories of information that a company wants to collect and the purposes of the collection, at or before the point of collection.
- Right to know what information was collected, used, shared or sold about them in the previous 12 months, as well as for what purposes it was processed. This also includes the categories of third parties with whom the business shared the personal information.
- Right to opt-out of the sale of personal information and sensitive data profiling. This means that individuals have the right to ensure not only that their data is not being sold, but also that their sensitive personal information is not being disclosed for advertising and marketing purposes.
- Right to not be discriminated against in terms of prices or service provision if they choose to exercise any of their CCPA-related rights.
- Right to receive their data in a portable and usable format that allows the transmission of the data to third parties.
What are the relevant timelines?
A company has 45 days from the time of the request to respond. They may also extend this deadline by an additional 45 days, if they let the individual know within the first 45 days AND provide a reason.
There is also a restriction on the number of requests an individual can make to the same company within a one-year period. A business does not have to provide access to personal information more than two times within 12 months.
It is also important to note that when an individual chooses to opt-out of the sale of their personal information, refuses to opt-in to financial incentive programs, or opts out of data collection, the company must respect this decision for 12 months. After 12 months, the company may once again seek consent from the individual.
How can individuals make requests?
At the very least, organizations have to provide a toll-free telephone number and a website page for request submissions.
Specifically for the right to opt-out, the company’s homepage must include a link to the page “Do Not Sell My Personal Information”.
What exceptions or exclusions exist under the Act?
Almost every definition in the CCPA includes a number of exclusions and exceptions. Here are just a few key exclusions to know about:
- medical information, since it is covered by other laws and regulations
- data collected as part of clinical trials
- information that is publicly available through government records
- personal information that is sold by or to consumer reporting agencies
Additionally, the CCPA has a fixed definition of “selling” that excludes the following situations:
- an individual explicitly and intentionally directing an organization to disclose their personal information to a third party. This does NOT include things like hovering over or closing third-party content.
- sharing of data with service providers that is necessary for business purposes.
- letting service providers know that an individual has chosen to opt-out.
In terms of the right to deletion, the exceptions that exist include:
- information that is considered free speech or is protected by other laws
- data processed for research purposes, if deleting the information would severely impact the research
- information necessary for legal prosecution or protection against illegal activities
- data that legally has to be retained
Who is the supervisory authority responsible for overseeing the Act?
The California Attorney General is responsible for enforcing the California Consumer Privacy Act.
What are the penalties for non-compliance?
The CCPA allows for both civil penalties and civil remedies.
This means that the supervisory authority (the California Attorney General) can bring a civil action against a company for non-compliance and individuals can seek monetary compensation for damages.
For civil penalties, the Act allows a court to impose up to 2,500 USD for each violation and 7,500 USD for each intentional violation or violation that involves children. There is no cap on the total amount that can be imposed if there are several violations.
For civil remedies, a court can issue damages between 100 and 750 USD per consumer per incident or actual damages, whichever is greater.
However, an individual can only seek this kind of compensation if non-encrypted or non-redacted personal information is disclosed or stolen due to a violation of security obligations.
What about children? How will it affect them?
Under the CCPA, a business cannot collect the personal information of an individual if it is aware that the individual is younger than 16, unless the individual (aged 13 to 16) has provided affirmative consent to the collection of their data. If the child is younger than 13, their guardian may provide this consent for them.
So unlike adults, children will have the right to opt-in (rather than opt-out).
Where can I get more information?
You can read the entire act on the California Attorney General’s website.
Californians for Consumer Privacy, founded by the billionaire Alastair Mactaggart, also runs a website dedicated to information about the CCPA. On their website, you can also learn about the new bill they have proposed, the California Privacy Rights and Enforcement Act.
If you are specifically interested in how the CCPA is different from the GDPR, you can check out the handy guide that the Future of Privacy Forum has created.